Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/haproxy.pp | 16 | ||||
-rw-r--r-- | manifests/certmonger/haproxy_dirs.pp | 55 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 6 | ||||
-rw-r--r-- | manifests/profile/base/cinder/api.pp | 11 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 22 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/ironic.pp | 5 | ||||
-rw-r--r-- | manifests/profile/base/nova/compute.pp | 11 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
-rw-r--r-- | manifests/profile/base/rabbitmq.pp | 15 | ||||
-rw-r--r-- | manifests/profile/pacemaker/clustercheck.pp | 11 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/mysql_bundle.pp | 192 | ||||
-rw-r--r-- | manifests/profile/pacemaker/haproxy_bundle.pp | 115 | ||||
-rw-r--r-- | manifests/profile/pacemaker/manila.pp | 22 | ||||
-rw-r--r-- | manifests/profile/pacemaker/rabbitmq_bundle.pp | 128 | ||||
-rw-r--r-- | manifests/ui.pp | 34 |
16 files changed, 451 insertions, 216 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index a5d1bf8..d4f4ad2 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -84,19 +84,23 @@ define tripleo::certmonger::haproxy ( postsave_cmd => $postsave_cmd, principal => $principal, wait => true, + tag => 'haproxy-cert', require => Class['::certmonger'], } concat { $service_pem : - ensure => present, - mode => '0640', - owner => 'haproxy', - group => 'haproxy', - require => Package[$::haproxy::params::package_name], + ensure => present, + mode => '0640', + owner => 'haproxy', + group => 'haproxy', + tag => 'haproxy-cert', } + Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem] + concat::fragment { "${title}-cert-fragment": target => $service_pem, source => $service_certificate, order => '01', + tag => 'haproxy-cert', require => Certmonger_certificate["${title}-cert"], } @@ -106,6 +110,7 @@ define tripleo::certmonger::haproxy ( target => $service_pem, source => $ca_pem, order => '10', + tag => 'haproxy-cert', require => Class['tripleo::certmonger::ca::local'], } } @@ -114,6 +119,7 @@ define tripleo::certmonger::haproxy ( target => $service_pem, source => $service_key, order => 20, + tag => 'haproxy-cert', require => Certmonger_certificate["${title}-cert"], } } diff --git a/manifests/certmonger/haproxy_dirs.pp b/manifests/certmonger/haproxy_dirs.pp new file mode 100644 index 0000000..86058c3 --- /dev/null +++ b/manifests/certmonger/haproxy_dirs.pp 
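Review bot: The new `Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem]` only orders the concat after the package when a matching Package resource exists in the catalog, whereas the removed `require => Package[...]` failed compilation when it was missing; if the package may legitimately be absent (containerized deployments) that is the intent, but nothing says so. The `tag => 'haproxy-cert'` added to the certmonger_certificate, the concat and each fragment (also in the two following hunks of this file) is undocumented; a comment above the certificate such as `# tagged so tripleo::certmonger::haproxy_dirs can collect the certificate and order its cert/key directories before it` would explain it. As far as this series shows, only `Certmonger_certificate<| tag == 'haproxy-cert' |>` is collected, so the tags on the concat and fragments look unused unless another manifest collects them.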
@@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the haproxy License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.haproxy.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::haproxy_dirs +# +# Creates the necessary directories for haproxy's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where haproxy's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where haproxy's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::haproxy_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> + } +} diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 7a6559e..2ac4b6e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp 
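Review bot: The license header of the new file reads `# Licensed under the haproxy License, Version 2.0` and points at `http://www.haproxy.org/licenses/LICENSE-2.0`, which looks like a search-and-replace over the Apache header; it should read `# Licensed under the Apache License, Version 2.0 (the "License"); you may` with the `http://www.apache.org/licenses/LICENSE-2.0` URL, and `# : = Class:` should be the usual `# == Class:` marker. Separately, `file { $key_dir : ... }` sets the SELinux context but no `owner`/`mode`, so the directory that will hold private keys is created with Puppet's default permissions; a restrictive mode (e.g. `mode => '0750'` with the owner certmonger writes as) seems appropriate — confirm against what certmonger and haproxy need. The `~>` from each directory to the collected Certmonger_certificate resources also sends a refresh to the certificates whenever the directory resource changes; if only ordering is intended, `->` is the safer choice.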
@@ -80,13 +80,16 @@ class tripleo::profile::base::certmonger_user ( unless empty($haproxy_certificates_specs) { $reload_haproxy = ['systemctl reload haproxy'] Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> - Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + if defined(Class['::haproxy']) { + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } } else { $reload_haproxy = [] } class { '::tripleo::certmonger::ca::crl' : reload_cmds => $reload_haproxy, } + Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl'] include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { @@ -98,6 +101,7 @@ class tripleo::profile::base::certmonger_user ( ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) } unless empty($haproxy_certificates_specs) { + include ::tripleo::certmonger::haproxy_dirs ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp index 54880ad..892e4ed 100644 --- a/manifests/profile/base/cinder/api.pp +++ b/manifests/profile/base/cinder/api.pp @@ -43,6 +43,12 @@ # (Optional) Whether TLS in the internal network is enabled or not. # Defaults to hiera('enable_internal_tls', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Cinder's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager') +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. 
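Review bot: `if defined(Class['::haproxy'])` makes the relationship parse-order dependent: `defined()` only sees classes already evaluated when this class is compiled, so whether `Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']` is emitted depends on where certmonger_user is included relative to `::haproxy`; a comment such as `# defined() is parse-order dependent: this class must be evaluated after ::haproxy for the relationship to exist` would at least make the assumption visible. The same caveat applies to `if !defined(Resource['ceph::key', ...])` in manifests/profile/pacemaker/manila.pp. `Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']` is an unrestricted collector, so it orders every certmonger_certificate in the catalog (and realizes any virtual ones) before the CRL class — probably wanted, but worth a one-line comment. The added `include ::tripleo::certmonger::haproxy_dirs` relies on hiera automatic parameter lookup for that class's `certificate_dir`/`key_dir` (both default to undef), which a reader of this file cannot tell; the enclosing class continues outside the hunk.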
@@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api ( $certificates_specs = hiera('apache_certificates_specs', {}), $cinder_api_network = hiera('cinder_api_network', undef), $enable_internal_tls = hiera('enable_internal_tls', false), + $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'), $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { @@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { - include ::cinder::api + class { '::cinder::api': + keymgr_api_class => $keymgr_api_class, + } include ::apache::mod::ssl class { '::cinder::wsgi::apache': ssl_cert => $tls_certfile, diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 3bf41cf..7e7d68b 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -47,6 +47,10 @@ # limit for the mysql service. # Defaults to false # +# [*innodb_buffer_pool_size*] +# (Optional) Configure the size of the MySQL buffer pool. +# Defaults to hiera('innodb_buffer_pool_size', undef) +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -76,6 +80,7 @@ class tripleo::profile::base::database::mysql ( $certificate_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $generate_dropin_file_limit = false, + $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef), $manage_resources = true, $mysql_server_options = {}, $mysql_max_connections = hiera('mysql_max_connections', undef), 
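Review bot: Replacing `include ::cinder::api` with a resource-like `class { '::cinder::api': keymgr_api_class => $keymgr_api_class, }` means any `include ::cinder::api` evaluated earlier elsewhere in the catalog now produces a duplicate declaration error, and the default's hiera key `cinder::api::keymgr_api_class` is the same key Puppet's automatic parameter lookup for cinder::api already consults, so the explicit parameter only changes what happens when no hiera value is set. The parameter doc should state what that fallback implies: `cinder.keymgr.conf_key_mgr.ConfKeyManager` is Cinder's single fixed-key manager, so volume encryption keys are protected only by the `fixed_key` in cinder.conf; proposed wording for the doc block: `# Note: ConfKeyManager uses one fixed key from cinder.conf; deployments that` / `# rely on volume encryption should set this to a real key manager (e.g. Barbican).` The same pattern and the same documentation gap appear in manifests/profile/base/nova/compute.pp.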
@@ -123,14 +128,15 @@ class tripleo::profile::base::database::mysql ( # MysqlNetwork and ControllerHostnameResolveNetwork in ServiceNetMap $mysql_server_default = { 'mysqld' => { - 'bind-address' => $bind_address, - 'max_connections' => $mysql_max_connections, - 'open_files_limit' => '-1', - 'innodb_file_per_table' => 'ON', - 'ssl' => $enable_internal_tls, - 'ssl-key' => $tls_keyfile, - 'ssl-cert' => $tls_certfile, - 'ssl-ca' => undef, + 'bind-address' => $bind_address, + 'max_connections' => $mysql_max_connections, + 'open_files_limit' => '-1', + 'innodb_buffer_pool_size' => $innodb_buffer_pool_size, + 'innodb_file_per_table' => 'ON', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5f6d97c..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -57,7 +57,7 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), 
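Review bot: The new default appends `--iptables=false`, but the parameter documentation only updates the default string and not why docker's iptables management is being turned off; with that flag docker no longer inserts NAT/FORWARD rules for container networks, so anything that depended on ports published through docker's own rules stops working. Proposed addition above the `Defaults to` line: `# --iptables=false keeps docker from adding its own iptables rules; host` / `# firewalling is expected to be managed by the deployment, not by docker.` — confirm the rationale with the author before committing to that wording. Deployments that override `docker_options` via hiera silently keep docker's iptables handling, so the comment should also say the flag must be carried over by anyone overriding the option.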
diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index 2739f33..7e6efec 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -70,8 +70,9 @@ class tripleo::profile::base::ironic ( if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::ironic': - sync_db => $sync_db, - default_transport_url => os_transport_url({ + sync_db => $sync_db, + db_online_data_migrations => $sync_db, + default_transport_url => os_transport_url({ 'transport' => $oslomsg_rpc_proto, 'hosts' => $oslomsg_rpc_hosts, 'port' => sprintf('%s', $oslomsg_rpc_port), diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp index 3eae880..a9a1f94 100644 --- a/manifests/profile/base/nova/compute.pp +++ b/manifests/profile/base/nova/compute.pp @@ -27,9 +27,16 @@ # (Optional) Whether or not Cinder is backed by NFS. # Defaults to hiera('cinder_enable_nfs_backend', false) # +# [*keymgr_api_class*] +# (Optional) The encryption key manager API class. The default value +# ensures Nova's legacy key manager is enabled when no hiera value is +# specified. +# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager') +# class tripleo::profile::base::nova::compute ( $step = Integer(hiera('step')), $cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false), + $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'), ) { if $step >= 4 { @@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute ( include ::tripleo::profile::base::nova # deploy basic bits for nova-compute - include ::nova::compute + class { '::nova::compute': + keymgr_api_class => $keymgr_api_class, + } # If Service['nova-conductor'] is in catalog, make sure we start it # before nova-compute. Service<| title == 'nova-conductor' |> -> Service['nova-compute'] 
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp @@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index d0b4a05..fbe5113 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp 
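Review bot: `$encryption = true,` is the only parameter in this list with a literal default instead of a hiera lookup (its neighbours use `hiera('pacemaker_...', ...)`), so unlike the rest it cannot be toggled from hiera; if that is deliberate, so that corosync traffic encryption cannot be quietly switched off, a comment saying so would help, otherwise `hiera('pacemaker_encryption', true)` would be consistent. The `'--encryption' => '1'` entry is merged into the options passed to cluster setup, which as far as this hunk shows only runs at initial cluster creation; existing clusters updated with this code presumably keep their current setting, and the `[*encryption*]` doc could say that. The doc text `encryption of the pacemaker traffic` would be more precise as `encryption of the corosync (cluster) traffic`, since that is what the setup flag controls.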
@@ -98,15 +98,6 @@ class tripleo::profile::base::rabbitmq ( $tls_keyfile = undef } - # IPv6 environment, necessary for RabbitMQ. - if $ipv6 { - $rabbit_env = merge($environment, { - 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"', - 'RABBITMQ_CTL_ERL_ARGS' => '"-proto_dist inet6_tcp"' - }) - } else { - $rabbit_env = $environment - } if $inet_dist_interface { $real_kernel_variables = merge( $kernel_variables, @@ -125,10 +116,11 @@ class tripleo::profile::base::rabbitmq ( cluster_nodes => $nodes, config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } # when running multi-nodes without Pacemaker if $manage_service { @@ -144,10 +136,11 @@ class tripleo::profile::base::rabbitmq ( class { '::rabbitmq': config_kernel_variables => $kernel_variables, config_variables => $config_variables, - environment_variables => $rabbit_env, + environment_variables => $environment, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, + ipv6 => $ipv6, } } } diff --git a/manifests/profile/pacemaker/clustercheck.pp b/manifests/profile/pacemaker/clustercheck.pp index 958f4a2..c08bafc 100644 --- a/manifests/profile/pacemaker/clustercheck.pp +++ b/manifests/profile/pacemaker/clustercheck.pp 
@@ -26,14 +26,19 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to hiera('mysql_bind_host') # +# [*clustercheck_user*] +# (Optional) The name of the clustercheck user. +# Defaults to 'clustercheck' +# # [*clustercheck_password*] # (Optional) The password for the clustercheck user. -# Defaults to hiera('mysql::server::root_password') +# Defaults to hiera('mysql_clustercheck_password') # # class tripleo::profile::pacemaker::clustercheck ( $step = Integer(hiera('step')), - $clustercheck_password = hiera('mysql::server::root_password'), + $clustercheck_user = 'clustercheck', + $clustercheck_password = hiera('mysql_clustercheck_password'), $bind_address = hiera('mysql_bind_host'), ) { @@ -43,7 +48,7 @@ class tripleo::profile::pacemaker::clustercheck ( mode => '0600', owner => 'mysql', group => 'mysql', - content => "MYSQL_USERNAME=root\n + content => "MYSQL_USERNAME=${clustercheck_user}\n MYSQL_PASSWORD='${clustercheck_password}'\n MYSQL_HOST=localhost\n", } diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp index 21d671c..e07ac2e 100644 --- a/manifests/profile/pacemaker/database/mysql_bundle.pp +++ b/manifests/profile/pacemaker/database/mysql_bundle.pp 
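Review bot: `MYSQL_USERNAME=${clustercheck_user}` is written unquoted into a file that is presumably sourced as shell (the `MYSQL_PASSWORD='...'` line below it uses shell quoting), so a user name containing whitespace or shell metacharacters would be mis-parsed; since the value is now a class parameter rather than the fixed `root`, validating it (`validate_re($clustercheck_user, '^[A-Za-z0-9_]+$')`) or quoting it like the password closes that. Moving from the root password to a dedicated clustercheck account is a least-privilege improvement, but nothing in this diff creates the account or its grants; the parameter doc should state where the user is expected to be created and that it needs only the privileges the clustercheck script uses. `hiera('mysql_clustercheck_password')` has no default, so catalogs compiled without that key now fail at lookup — presumably intended, but worth a line in the doc.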
@@ -34,6 +34,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. 
@@ -50,13 +71,16 @@ # # class tripleo::profile::pacemaker::database::mysql_bundle ( - $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), - $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $pcs_tries = hiera('pcs_tries', 20), - $step = Integer(hiera('step')), + $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), + $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $pcs_tries = hiera('pcs_tries', 20), + $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true 
@@ -64,16 +88,11 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( $pacemaker_master = false } - # use only mysql_node_names when we land a patch in t-h-t that - # switches to autogenerating these values from composable services - # The galera node names need to match the pacemaker node names... so if we - # want to use FQDNs for this, the cluster will not finish bootstrapping, - # since all the nodes will be marked as slaves. For now, we'll stick to the - # short name which is already registered in pacemaker until we get around - # this issue. - $galera_node_names_lookup = hiera('mysql_short_node_names', hiera('mysql_node_names', $::hostname)) + $galera_node_names_lookup = hiera('mysql_short_node_names', $::hostname) + $galera_fqdns_names_lookup = hiera('mysql_node_names', $::hostname) + if is_array($galera_node_names_lookup) { - $galera_nodes = downcase(join($galera_node_names_lookup, ',')) + $galera_nodes = downcase(join($galera_fqdns_names_lookup, ',')) } else { $galera_nodes = downcase($galera_node_names_lookup) } @@ -87,6 +106,19 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( } $cluster_host_map_string = join($host_map_array, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', 
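Review bot: The type check and the value it guards no longer agree: `if is_array($galera_node_names_lookup)` tests the short-name lookup, but the branch joins `$galera_fqdns_names_lookup`, while the `else` branch falls back to `downcase($galera_node_names_lookup)` — the short names. If `mysql_short_node_names` is an array but `mysql_node_names` is not (or vice versa) the join fails or `$galera_nodes` silently mixes name styles. The check should be on the variable being joined: `if is_array($galera_fqdns_names_lookup) {` / `$galera_nodes = downcase(join($galera_fqdns_names_lookup, ','))` / `} else { $galera_nodes = downcase($galera_fqdns_names_lookup) }`. The removed comment explained why short names were needed for pacemaker; a replacement should explain the new split, since `$galera_node_names_lookup` is presumably still used for the host map built after this hunk (outside it).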
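Review bot: `$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"` yields `...;;` when `$ca_file` is unset, because `$tls_ca_options` is then the empty string, and that value is spliced into `wsrep_provider_options` in the next hunk; whether the provider's option parser tolerates an empty entry is not something this hunk establishes. Putting the separator inside the conditional avoids it: `$tls_ca_options = "socket.ssl_ca=${ca_file};"` in the `if` branch and `$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options}"` for the final string. `$certificate_specs['service_certificate']` and `['service_key']` are also read without checking the keys exist; with `enable_internal_tls` true and the default `{}` specs the string becomes `socket.ssl_key=;...`, so a `fail()` when either key is missing would surface the misconfiguration at compile time instead of at galera start.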
@@ -116,7 +148,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", }, 'mysqld_safe' => { 'pid-file' => '/var/lib/mysql/mariadb.pid', 
@@ -195,6 +227,74 @@ MYSQL_HOST=localhost\n", } # lint:endignore } + + $storage_maps = { + 'mysql-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/mysql.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'mysql-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'mysql-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'mysql-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'mysql-lib' => { + 'source-dir' => '/var/lib/mysql', + 'target-dir' => '/var/lib/mysql', + 'options' => 'rw', + }, + 'mysql-log-mariadb' => { + 'source-dir' => '/var/log/mariadb', + 'target-dir' => '/var/log/mariadb', + 'options' => 'rw', + }, + 'mysql-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $mysql_storage_maps_tls = { + 'mysql-pki-gcomm-key' => { + 'source-dir' => '/etc/pki/tls/private/mysql.key', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key', + 'options' => 'ro', + }, + 'mysql-pki-gcomm-cert' => { + 'source-dir' => '/etc/pki/tls/certs/mysql.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt', + 'options' => 'ro', + }, + } + if $ca_file { + $ca_storage_maps_tls = { + 'mysql-pki-gcomm-ca' => { + 'source-dir' => $ca_file, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_file}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps_tls = {} + } + $storage_maps_tls = merge($mysql_storage_maps_tls, $ca_storage_maps_tls) + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'galera-bundle': image => $mysql_docker_image, replicas => $galera_nodes_count, 
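Review bot: The TLS storage maps hard-code `/etc/pki/tls/private/mysql.key` and `/etc/pki/tls/certs/mysql.crt` as `source-dir`, while the paths galera is configured with (`$tls_keyfile`/`$tls_certfile`, taken from `$certificate_specs` earlier in this class) can be whatever the specs say; if they differ, the container mounts files galera does not read and cannot find the ones it does. Using the same variables here, `'source-dir' => $tls_keyfile` / `'source-dir' => $tls_certfile` with the target built from them (`"/var/lib/kolla/config_files/src-tls${tls_keyfile}"`), keeps the two in sync, as the `mysql-pki-gcomm-ca` entry already does for `$ca_file`. A comment on `$storage_maps_tls` explaining the `src-tls` target prefix (presumably consumed by the kolla config copy step — confirm) would help a reader of this file.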
@@ -208,63 +308,7 @@ MYSQL_HOST=localhost\n", options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${control_port}", - storage_maps => { - 'mysql-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/mysql.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'mysql-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'mysql-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'mysql-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'mysql-lib' => { - 'source-dir' => '/var/lib/mysql', - 'target-dir' => '/var/lib/mysql', - 'options' => 'rw', - }, - 'mysql-log-mariadb' => { - 'source-dir' => '/var/log/mariadb', - 'target-dir' => '/var/log/mariadb', - 'options' => 'rw', - }, - 'mysql-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'mysql-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'mysql-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'mysql-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } pacemaker::resource::ocf { 'galera': 
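Review bot: Beyond moving the map into `$storage_maps`, the new side drops the `mysql-pki-extracted`, `mysql-pki-ca-bundle-crt`, `mysql-pki-ca-bundle-trust-crt` and `mysql-pki-cert` mounts, which the new `$storage_maps` in the previous hunk does not re-add, so the galera container no longer sees the host CA trust store; only `$ca_file` is mounted, and only when internal TLS is enabled. If that is intentional (trust is now explicit through `ca_file`), a comment on `$storage_maps` should say so, because anything in the container that validated peers against the system bundle will now fail — confirm nothing relies on it. `merge($storage_maps, $storage_maps_tls)` also lets a TLS entry silently override a base entry of the same name; the names are distinct here, but a one-line comment noting the precedence would help the next editor.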
diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp index b785ea7..1b9a191 100644 --- a/manifests/profile/pacemaker/haproxy_bundle.pp +++ b/manifests/profile/pacemaker/haproxy_bundle.pp @@ -30,10 +30,34 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*ca_bundle*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::ca_bundle', undef) +# +# [*crl_file*] +# (Optional) The path to the file that contains the certificate +# revocation list. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::crl_file', undef) +# # [*deployed_ssl_cert_path*] # (Optional) The filepath of the certificate as it will be stored in # the controller. -# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem' +# Defaults to hiera('tripleo::haproxy::service_certificate', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*internal_certs_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef +# +# [*internal_keys_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates 
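Review bot: The new `[*internal_keys_directory*]` documentation is a copy of the certificates one — `Directory the holds the certificates to be used when` followed by `when TLS is enabled` (doubled "when", "the holds") — so a reader cannot tell the two parameters apart. Proposed text for the keys parameter: `# (Optional) Directory that holds the private keys to be used when TLS is` / `# enabled in the internal network`, and for the certificates parameter the same sentence with "certificates". The `ca_bundle` and `crl_file` docs say they are only used when internal TLS is enabled, which matches the later hunk of this file.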
@@ -45,12 +69,17 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::haproxy_bundle ( - $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), - $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), - $enable_load_balancer = hiera('enable_load_balancer', true), - $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem', - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), + $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $ca_bundle = hiera('tripleo::haproxy::ca_bundle', undef), + $crl_file = hiera('tripleo::haproxy::crl_file', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $internal_certs_directory = undef, + $internal_keys_directory = undef, + $deployed_ssl_cert_path = hiera('tripleo::haproxy::service_certificate', undef), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { include ::tripleo::profile::base::haproxy @@ -90,14 +119,8 @@ class tripleo::profile::pacemaker::haproxy_bundle ( $haproxy_nodes = hiera('haproxy_short_node_names') $haproxy_nodes_count = count($haproxy_nodes) - pacemaker::resource::bundle { 'haproxy-bundle': - image => $haproxy_docker_image, - replicas => $haproxy_nodes_count, - location_rule => $haproxy_location_rule, - container_options => 'network=host', - options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', - run_command => '/bin/bash /usr/local/bin/kolla_start', - storage_maps => { + + $storage_maps = { 'haproxy-cfg-files' => { 'source-dir' => '/var/lib/kolla/config_files/haproxy.json', 'target-dir' => '/var/lib/kolla/config_files/config.json', 
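Review bot: The default of `deployed_ssl_cert_path` changes from the fixed `/etc/pki/tls/private/overcloud_endpoint.pem` to `hiera('tripleo::haproxy::service_certificate', undef)`, so a deployment that sets neither the hiera key nor the parameter now gets no `haproxy-cert` storage map at all (the later hunk only adds it when the value is truthy) where it previously mounted the fixed path. If tripleo-heat-templates always sets that key this is fine, but the parameter doc could say so and keep the old path as an example value. `$internal_certs_directory` and `$internal_keys_directory` default to `undef` with no hiera lookup, unlike the neighbouring TLS parameters; worth stating whether they are expected to come via automatic parameter lookup.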
@@ -143,12 +166,68 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'target-dir' => '/dev/log', 'options' => 'rw', }, - 'haproxy-cert' => { + }; + + if $deployed_ssl_cert_path { + $cert_storage_maps = { + 'haproxy-cert' => { 'source-dir' => $deployed_ssl_cert_path, - 'target-dir' => $deployed_ssl_cert_path, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${deployed_ssl_cert_path}", 'options' => 'ro', }, - }, + } + } else { + $cert_storage_maps = {} + } + + if $enable_internal_tls { + $haproxy_storage_maps = { + 'haproxy-pki-certs' => { + 'source-dir' => $internal_certs_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_certs_directory}", + 'options' => 'ro', + }, + 'haproxy-pki-keys' => { + 'source-dir' => $internal_keys_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_keys_directory}", + 'options' => 'ro', + }, + } + if $ca_bundle { + $ca_storage_maps = { + 'haproxy-pki-ca-file' => { + 'source-dir' => $ca_bundle, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_bundle}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps = {} + } + if $crl_file { + $crl_storage_maps = { + 'haproxy-pki-crl-file' => { + 'source-dir' => $crl_file, + 'target-dir' => $crl_file, + 'options' => 'ro', + }, + } + } else { + $crl_storage_maps = {} + } + $storage_maps_internal_tls = merge($haproxy_storage_maps, $ca_storage_maps, $crl_storage_maps) + } else { + $storage_maps_internal_tls = {} + } + + pacemaker::resource::bundle { 'haproxy-bundle': + image => $haproxy_docker_image, + replicas => $haproxy_nodes_count, + location_rule => $haproxy_location_rule, + container_options => 'network=host', + options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', + run_command => '/bin/bash /usr/local/bin/kolla_start', + storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls), } $control_vip = hiera('controller_virtual_ip') tripleo::pacemaker::haproxy_with_vip { 
'haproxy_and_control_vip': diff --git a/manifests/profile/pacemaker/manila.pp b/manifests/profile/pacemaker/manila.pp index c22a033..25d389a 100644 --- a/manifests/profile/pacemaker/manila.pp +++ b/manifests/profile/pacemaker/manila.pp @@ -134,17 +134,19 @@ class tripleo::profile::pacemaker::manila ( cephfs_enable_snapshots => hiera('manila::backend::cephfsnative::cephfs_enable_snapshots'), } - ceph::key { "client.${cephfs_auth_id}" : - secret => hiera('manila::backend::cephfsnative::ceph_client_key'), - keyring_path => $keyring_path, - # inject the new key into ceph cluster only if ceph is deployed by - # tripleo (if external ceph is used it should be added manually) - inject => $ceph_mds_enabled, - user => 'manila', - cap_mds => 'allow *', - cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ + if !defined(Resource['ceph::key', "client.${cephfs_auth_id}"]) { + ceph::key { "client.${cephfs_auth_id}" : + secret => hiera('manila::backend::cephfsnative::ceph_client_key'), + keyring_path => $keyring_path, + # inject the new key into ceph cluster only if ceph is deployed by + # tripleo (if external ceph is used it should be added manually) + inject => $ceph_mds_enabled, + user => 'manila', + cap_mds => 'allow *', + cap_mon => 'allow r, allow command \"auth del\", allow command \"auth caps\", \ allow command \"auth get\", allow command \"auth get-or-create\"', - cap_osd => 'allow rw' + cap_osd => 'allow rw' + } } ceph_config { diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp index 5dd22d2..4d6b9af 100644 --- a/manifests/profile/pacemaker/rabbitmq_bundle.pp +++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp 
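Review bot: When `$enable_internal_tls` is true, `$internal_certs_directory` and `$internal_keys_directory` are used as `source-dir` without any check and both default to `undef`, so an unset value produces a storage map with an empty source and a target of just `/var/lib/kolla/config_files/src-tls`, noticed only when the bundle fails. A guard at the top of the branch, `if !$internal_certs_directory or !$internal_keys_directory { fail('internal_certs_directory and internal_keys_directory are required when enable_internal_tls is true') }`, turns the misconfiguration into a compile error. The CRL is mounted in place (`'target-dir' => $crl_file`) whereas every other TLS file goes under `src-tls`; if that is so CRL refreshes from the host are seen without restarting the container, a comment should say so. The `};` terminating `$storage_maps` is a stray semicolon that the other assignments in this file do not use; the enclosing class continues outside the hunk.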
@@ -44,6 +44,10 @@ # (Optional) The list of rabbitmq nodes names # Defaults to hiera('rabbitmq_node_names') # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( $erlang_cookie = hiera('rabbitmq::erlang_cookie'), $user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0), $rabbit_nodes = hiera('rabbitmq_node_names'), + $enable_internal_tls = hiera('enable_internal_tls', false), $pcs_tries = hiera('pcs_tries', 20), $step = Integer(hiera('step')), ) { 
@@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( } } + $storage_maps = { + 'rabbitmq-cfg-files' => { + 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', + 'target-dir' => '/var/lib/kolla/config_files/config.json', + 'options' => 'ro', + }, + 'rabbitmq-cfg-data' => { + 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', + 'target-dir' => '/var/lib/kolla/config_files/src', + 'options' => 'ro', + }, + 'rabbitmq-hosts' => { + 'source-dir' => '/etc/hosts', + 'target-dir' => '/etc/hosts', + 'options' => 'ro', + }, + 'rabbitmq-localtime' => { + 'source-dir' => '/etc/localtime', + 'target-dir' => '/etc/localtime', + 'options' => 'ro', + }, + 'rabbitmq-lib' => { + 'source-dir' => '/var/lib/rabbitmq', + 'target-dir' => '/var/lib/rabbitmq', + 'options' => 'rw', + }, + 'rabbitmq-pki-extracted' => { + 'source-dir' => '/etc/pki/ca-trust/extracted', + 'target-dir' => '/etc/pki/ca-trust/extracted', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-ca-bundle-trust-crt' => { + 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/cert.pem', + 'target-dir' => '/etc/pki/tls/cert.pem', + 'options' => 'ro', + }, + 'rabbitmq-dev-log' => { + 'source-dir' => '/dev/log', + 'target-dir' => '/dev/log', + 'options' => 'rw', + }, + } + + if $enable_internal_tls { + $storage_maps_tls = { + 'rabbitmq-pki-cert' => { + 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt', + 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt', + 'options' => 'ro', + }, + 'rabbitmq-pki-key' => { + 'source-dir' => '/etc/pki/tls/private/rabbitmq.key', + 'target-dir' => 
'/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key', + 'options' => 'ro', + }, + } + } else { + $storage_maps_tls = {} + } + pacemaker::resource::bundle { 'rabbitmq-bundle': image => $rabbitmq_docker_image, replicas => $rabbitmq_nodes_count, 
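Review bot: `$storage_maps_tls` reuses the key `'rabbitmq-pki-cert'`, which `$storage_maps` in the same hunk already uses for the `/etc/pki/tls/cert.pem` bind mount; when the two hashes are combined with `merge($storage_maps, $storage_maps_tls)` in the following hunk the right-hand side wins, so the cert.pem mount is silently dropped from the container whenever `enable_internal_tls` is true. Rename the TLS-specific entries so they cannot collide, e.g. `'rabbitmq-pki-service-cert' => {` and `'rabbitmq-pki-service-key' => {`. The private key is mounted read-only under `src-tls`, which is right; since the bundle runs with `--user=root` and `KOLLA_CONFIG_STRATEGY=COPY_ALWAYS` (context lines in the next hunk), the owner and mode of the copied key inside the container are presumably decided by the kolla config.json rather than here, so it is worth confirming that file restricts it to the rabbitmq user. The class body continues outside this hunk.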
@@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle ( options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', run_command => '/bin/bash /usr/local/bin/kolla_start', network => "control-port=${rabbitmq_docker_control_port}", - storage_maps => { - 'rabbitmq-cfg-files' => { - 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json', - 'target-dir' => '/var/lib/kolla/config_files/config.json', - 'options' => 'ro', - }, - 'rabbitmq-cfg-data' => { - 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/', - 'target-dir' => '/var/lib/kolla/config_files/src', - 'options' => 'ro', - }, - 'rabbitmq-hosts' => { - 'source-dir' => '/etc/hosts', - 'target-dir' => '/etc/hosts', - 'options' => 'ro', - }, - 'rabbitmq-localtime' => { - 'source-dir' => '/etc/localtime', - 'target-dir' => '/etc/localtime', - 'options' => 'ro', - }, - 'rabbitmq-lib' => { - 'source-dir' => '/var/lib/rabbitmq', - 'target-dir' => '/var/lib/rabbitmq', - 'options' => 'rw', - }, - 'rabbitmq-pki-extracted' => { - 'source-dir' => '/etc/pki/ca-trust/extracted', - 'target-dir' => '/etc/pki/ca-trust/extracted', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-ca-bundle-trust-crt' => { - 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt', - 'options' => 'ro', - }, - 'rabbitmq-pki-cert' => { - 'source-dir' => '/etc/pki/tls/cert.pem', - 'target-dir' => '/etc/pki/tls/cert.pem', - 'options' => 'ro', - }, - 'rabbitmq-dev-log' => { - 'source-dir' => '/dev/log', - 'target-dir' => '/dev/log', - 'options' => 'rw', - }, - }, + storage_maps => merge($storage_maps, $storage_maps_tls), } # The default nr of ha queues is ceiling(N/2) diff --git a/manifests/ui.pp b/manifests/ui.pp index d744044..cb1da21 100644 --- a/manifests/ui.pp 
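Review bot: The new `storage_maps => merge($storage_maps, $storage_maps_tls)` line gives the right-hand hash precedence, so any key present in both maps replaces the base bind mount with no warning, and the hunk does not say that this layering is intended. I would annotate it, e.g. `# TLS-only mounts are layered on top of the base map; keys must stay disjoint, merge() lets the right-hand hash win`, so a later TLS-only entry is not accidentally named after a base one. The surrounding `pacemaker::resource::bundle` declaration and the class body extend beyond this hunk.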
+++ b/manifests/ui.pp @@ -31,19 +31,9 @@ # The port on which the UI is listening. # Defaults to 3000 # -# [*enabled_languages*] -# Which languages to show in the UI. -# A hash. -# Defaults to -# { -# 'de' => 'German', -# 'en' => 'English', -# 'es' => 'Spanish', -# 'id' => 'Indonesian', -# 'ja' => 'Japanese', -# 'ko-KR' => 'Korean', -# 'zh-CN' => 'Simplified Chinese' -# } +# [*excluded_languages*] +# A list of languages that shouldn't be enabled in the UI, e.g. ['en', 'de'] +# Defaults to [] # # [*endpoint_proxy_keystone*] # The keystone proxy endpoint url @@ -107,19 +97,11 @@ # Defaults to 'tripleo' # class tripleo::ui ( - $servername = $::fqdn, - $bind_host = hiera('controller_host'), - $ui_port = 3000, - $zaqar_default_queue = 'tripleo', - $enabled_languages = { - 'de' => 'German', - 'en' => 'English', - 'es' => 'Spanish', - 'id' => 'Indonesian', - 'ja' => 'Japanese', - 'ko-KR' => 'Korean', - 'zh-CN' => 'Simplified Chinese' - }, + $servername = $::fqdn, + $bind_host = hiera('controller_host'), + $ui_port = 3000, + $zaqar_default_queue = 'tripleo', + $excluded_languages = [], $endpoint_proxy_zaqar = undef, $endpoint_proxy_keystone = undef, $endpoint_proxy_heat = undef, |
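Review bot: Removing the `$enabled_languages` parameter from `class tripleo::ui` is a breaking interface change with no deprecation path: a resource-like declaration that still passes it will fail catalog compilation, while a lingering hiera `tripleo::ui::enabled_languages` key is silently ignored, so operators get either a hard failure or no signal at all. Keep the old name for one cycle, e.g. `$enabled_languages = undef,` in the signature and `if $enabled_languages { warning('tripleo::ui::enabled_languages is deprecated and ignored; use excluded_languages') }` in the body, or at least call the removal out in a release note. `$excluded_languages = []` could also be typed as `Array[String]` so a stray scalar from hiera is rejected at compile time, in line with the `Integer(hiera('step'))` style used elsewhere in this series. The class body continues past the hunk.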